Details are sparse. They say that Flash versions 9.0.115.0 and 9.0.124.0 are vulnerable and that other versions may also be affected. There is no definitive word as to whether the vulnerability affects Windows only or all Flash platforms. Exploitation could result in remote code execution or, failing that, crash the Flash player and likely the browser.

A Symantec DeepSight report on the bug says that two Chinese web sites have been found hosting the attack, although with different payloads.

Due to the lack of mitigating factors and the widespread use of Flash, Symantec has raised their ThreatCon level to 2.

[Update: Symantec has added new information indicating that the problem is worse than it seemed at first: "Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue."]

About the Author

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.
He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find
